Vendor the external cookbooks

Knife-Zero doesn't include Berkshelf support, so vendoring everything in
the repo is convenient again

cookbooks/firewall/attributes/default.rb

@@ -0,0 +1,5 @@
+default['firewall']['allow_ssh'] = false
+default['firewall']['allow_winrm'] = false
+default['firewall']['allow_mosh'] = false
+default['firewall']['allow_loopback'] = false
+default['firewall']['allow_icmp'] = false

cookbooks/firewall/attributes/firewalld.rb

@@ -0,0 +1 @@
+default['firewall']['firewalld']['permanent'] = false

cookbooks/firewall/attributes/iptables.rb

@@ -0,0 +1,17 @@
+default['firewall']['iptables']['defaults'][:policy] = {
+  input: 'DROP',
+  forward: 'DROP',
+  output: 'ACCEPT',
+}
+default['firewall']['iptables']['defaults'][:ruleset] = {
+  '*filter' => 1,
+  ":INPUT #{node['firewall']['iptables']['defaults'][:policy][:input]}" => 2,
+  ":FORWARD #{node['firewall']['iptables']['defaults'][:policy][:forward]}" => 3,
+  ":OUTPUT #{node['firewall']['iptables']['defaults'][:policy][:output]}" => 4,
+  'COMMIT_FILTER' => 100,
+}
+
+default['firewall']['ubuntu_iptables'] = false
+default['firewall']['redhat7_iptables'] = false
+default['firewall']['allow_established'] = true
+default['firewall']['ipv6_enabled'] = true

cookbooks/firewall/attributes/ufw.rb

@@ -0,0 +1,12 @@
+default['firewall']['ufw']['defaults'] = {
+  ipv6: 'yes',
+  manage_builtins: 'no',
+  ipt_sysctl: '/etc/ufw/sysctl.conf',
+  ipt_modules: 'nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns',
+  policy: {
+    input: 'DROP',
+    output: 'ACCEPT',
+    forward: 'DROP',
+    application: 'SKIP',
+  },
+}

cookbooks/firewall/attributes/windows.rb

@@ -0,0 +1,8 @@
+# Windows platform defult settings: block undefined inbould traffic, allow all outgoing traffic
+
+default['firewall']['windows']['defaults'] = {
+  policy: {
+    input: 'blockinbound',
+    output: 'allowoutbound',
+  },
+}